Practical Malware Analysis : Lab 1-4

Tools used:

  • VirusTotal.com
  • PEview
  • PEiD
  • Dependency Walker
  • Malcode Analyst Pack
  • Resource Hacker

Questions


1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?



2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

No indication of packing from PEview.


3. When was this program compiled?

The compile date shown is fake, since the labs and instructions were created in 2014.

4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

ADVAPI32.DLL

  • The program does something with permissions.

KERNEL32.DLL

Loads data from the resource section

  • LoadResource
  • FindResourceA
  • SizeofResource

Writes a file to disk

  • CreateFileA
  • WriteFile

Executes the file

  • WinExec

5. What host- or network-based indicators could be used to identify this malware on infected machines?

Use the strings program to pull candidate host- and network-based indicators out of the file.
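As an added example (not code from the lab or from this write-up), the script below does what the strings tool does, extracting printable ASCII and UTF-16LE runs from a byte buffer, and then sorts the hits into the indicator classes the lab questions ask about: URLs, file paths, the API names listed in Q4 and Q6, and a repeated DOS stub message, which is the sign of an embedded executable that Q6 relies on. The SAMPLE buffer, its URL and its path are constructed placeholders, not values taken from the lab binary.

```python
"""Minimal 'strings' with indicator triage.

Added example for this write-up (not the lab's code): pulls printable ASCII
and UTF-16LE runs out of a byte buffer the way the strings tool does, then
sorts the hits into the indicator classes the lab questions ask about: URLs,
file paths, the API names the write-up calls out, and a second DOS stub
message (a sign of an embedded executable). SAMPLE is constructed here.
"""
import re

MIN_LEN = 4

# Import names the write-up flags as meaningful (Q4 and Q6 of the post).
INTERESTING_APIS = {
    "LoadResource", "FindResourceA", "SizeofResource",
    "CreateFileA", "WriteFile", "WinExec", "URLDownloadToFile",
}
DOS_STUB_MSG = "This program cannot be run in DOS mode"

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\s\"']+")


def extract_strings(data, min_len=MIN_LEN):
    """Return [(offset, encoding, text)] for ASCII and UTF-16LE runs of >= min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    hits.sort(key=lambda h: h[0])
    return hits


def triage(strings):
    """Group extracted strings into the indicator classes above."""
    out = {"urls": [], "paths": [], "apis": [], "dos_stub_count": 0}
    for _offset, _encoding, text in strings:
        out["urls"] += URL_RE.findall(text)
        out["paths"] += PATH_RE.findall(text)
        # Import names are NUL-terminated, so a hit is the bare name, often with an A/W suffix.
        stem = text[:-1] if text.endswith(("A", "W")) else text
        if text in INTERESTING_APIS or stem in INTERESTING_APIS:
            out["apis"].append(text)
        if DOS_STUB_MSG in text:
            out["dos_stub_count"] += 1  # every PE has one; two means another PE is embedded
    return out


# Constructed sample buffer mimicking the fragments strings would show for a dropper;
# the URL and path are placeholders, not values from the lab binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n$\x00"
    + b"PE\x00\x00"
    + "Updater".encode("utf-16-le") + b"\x00\x00"
    + b"KERNEL32.dll\x00CreateFileA\x00WriteFile\x00WinExec\x00"
    + b"urlmon.dll\x00URLDownloadToFileA\x00"
    + b"http://example.invalid/payload.bin\x00"
    + b"C:\\Temp\\dropped.exe\x00"
    + b"\x00" * 4
    + b"This program cannot be run in DOS mode.\r\n$\x00"
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, encoding, text in found:
        print(f"{offset:#08x} {encoding:5} {text}")
    print(triage(found))
```

Run it against a real sample by replacing SAMPLE with the file's bytes; the UTF-16LE pass matters on Windows binaries because paths and URLs are often stored as wide strings that the plain ASCII pass misses, and a dos_stub_count of two or more is the same clue the write-up reads off the resource in Q6.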


6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

Use Resource Hacker to analyze the file.

The string “This program cannot be run in DOS mode” inside the resource indicates that an additional exe file is embedded there.

From the Action menu, save the resource as a binary file, then open that file in PEview.

This embedded exe has access to network functions: it imports URLDownloadToFile and WinExec, which download a file and then execute it.
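The manual Resource Hacker step above can be reproduced programmatically. As an added example (not code from the lab, the write-up or Resource Hacker), the script below scans a buffer for every MZ header whose e_lfanew really lands on a PE signature, carves the embedded image using its section table, and reads the TimeDateStamp from the file header, which is the same compile time Q3 asks about for the outer file. The build_minimal_pe helper, the stamp value and the section contents only construct a sample to run against; they are not data from the lab binary.

```python
"""Carve embedded PE images and read their compile timestamp.

Added example for this write-up (not the lab's or Resource Hacker's code).
A PE begins with IMAGE_DOS_HEADER: 'MZ' at offset 0 and e_lfanew at 0x3C
pointing to the 'PE\\0\\0' signature. Scanning for every 'MZ' and validating
that chain finds executables hidden inside another file, such as the one the
write-up pulls out of the resource section in Q6. The IMAGE_FILE_HEADER right
after the signature holds TimeDateStamp, the compile time asked about in Q3,
so the carved copy can be dated the same way as the outer file.
build_minimal_pe only manufactures a constructed sample to run against.
"""
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
SECTION_HEADER_SIZE = 40


def find_pe_headers(data):
    """Return offsets of every 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            nt = pos + e_lfanew
            # Sanity bound on e_lfanew (heuristic): real headers sit within the first page.
            if 0x40 <= e_lfanew < 0x1000 and data[nt:nt + 4] == IMAGE_NT_SIGNATURE:
                hits.append(pos)
        pos = data.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def carve_pe(data, base):
    """Describe and slice out the PE at `base`; its size comes from the section table."""
    nt = base + struct.unpack_from("<I", data, base + 0x3C)[0]
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, stamp, _ps, _ns, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, nt + 4)
    sec_table = nt + 24 + opt_size
    end = sec_table + SECTION_HEADER_SIZE * nsec
    names = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_table + SECTION_HEADER_SIZE * i)
        names.append(name.rstrip(b"\x00").decode("ascii", "replace"))
        end = max(end, base + raw_ptr + raw_size)  # on-disk image ends at the last raw section
    end = min(end, len(data))
    return {
        "offset": base,
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "sections": names,
        "image": data[base:end],
    }


def build_minimal_pe(stamp, sections):
    """Construct a tiny PE32 (constructed sample input only, not a working program)."""
    stub = b"This program cannot be run in DOS mode.\r\n$\x00"
    e_lfanew = (0x40 + len(stub) + 7) & ~7
    dos = bytearray(e_lfanew)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    dos[0x40:0x40 + len(stub)] = stub
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # PE32 optional header
    headers_size = (e_lfanew + 24 + opt_size + SECTION_HEADER_SIZE * len(sections) + 0x1FF) & ~0x1FF
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, headers_size)    # SizeOfHeaders
    sec_hdrs, raw, raw_ptr, va = b"", b"", headers_size, 0x1000
    for name, body in sections:
        raw_size = (len(body) + 0x1FF) & ~0x1FF
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"), len(body), va,
                                raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += body.ljust(raw_size, b"\x00")
        raw_ptr, va = raw_ptr + raw_size, va + 0x1000
    headers = bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + sec_hdrs
    return headers.ljust(headers_size, b"\x00") + raw


# Constructed sample: an inner PE (stamp = 2001-09-09 01:46:40 UTC) wrapped in filler,
# with a stray "MZ" that has no valid e_lfanew to show the validation step.
INNER = build_minimal_pe(1_000_000_000, [(".text", b"\xC3" * 16), (".rsrc", b"constructed")])
SAMPLE = b"\x00" * 64 + b"MZ" + b"junk" * 4 + INNER + b"\x00" * 32

if __name__ == "__main__":
    for base in find_pe_headers(SAMPLE):
        info = carve_pe(SAMPLE, base)
        print(f"PE at {base:#x}: {len(info['image'])} bytes, sections {info['sections']}, "
              f"compiled {info['compiled'].isoformat()}")
```

Against a real dropper, pass the outer file's bytes as the buffer; the first hit is the outer executable itself and any later hit is an embedded one, which can be written out and opened in PEview exactly like the resource saved from Resource Hacker. The e_lfanew check is what separates a real header from the stray "MZ" bytes that turn up in arbitrary data, and the timestamp read here is the one the write-up notes can be faked.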
